Editors

Get Updates via E-mail

Disclaimer

The content of this blog is intended for informational purposes only. It is not intended to solicit business or to provide legal advice. Laws differ by jurisdiction, and the information on this blog may not apply to every reader. You should not take, or refrain from taking, any legal action based upon the information contained on this blog without first seeking professional counsel. Your use of the blog does not create an attorney-client relationship between you and Arnold & Porter LLP. Click here to view additional disclaimer language.

February 01, 2013

Free Social Networking Under Threat from EU Regulation?

Since the European Commission published
its proposals
for the reform of EU data protection laws in January 2012, commentators have
been assessing the changes and speculating on what effects these might have on
businesses. A year on and the latest area under the spotlight is social
networking sites.

Background

It is nearly 20 years since the original
Data Protection Directive (Directive 95/46/EC) was implemented in the EU and
the Regulation aims to make data protection laws more relevant to today’s world
where individuals voluntarily share a vast amount of personal information
online, for example, through social networking sites.

The Commission wants to encourage
‘e-business’ by building trust in the online environment and one way of
accomplishing this, they hope, is by protecting individuals against threats to
their personal privacy associated with this ‘online world’.

Social
networking sites and your personal data

Many websites, including social
networking sites, rely on information gleaned from user data (for example
users’ preferences) which is sold to generate ad revenue. Generally, users
consent to the use of their personal information for such purposes when they
access the site and sign up (consents often being contained in the site’s
relevant T&Cs) and sites can change their T&Cs to modify how they use
personal data after users have signed up.

How
might the Regulation (as currently drafted) affect social networking sites?

Sites will be restricted as to the type
of data that can be collected. This must be limited to the minimum necessary
and collected only for specific, explicit, limited, legitimate purposes. So
collecting data on users’ preferences to generate ad revenue may not be
considered ‘legitimate’.

Users will be entitled to ‘privacy by
default’ (which, in the context of social networking, would mean that the
default settings must protect the privacy of users and users would be required
to take an active role in what they choose to share in the online environment
of the networking site) and sites will not simply be able to claim the right to
use personal data merely because a user has ‘consented’ through accepting a
site’s T&Cs. Additionally, sites will not be able to change these T&Cs
after users have signed up in order to give themselves greater rights over
personal data.

Users will also be able to withdraw their
consent to the processing of their personal data and request that it be
deleted/removed permanently. Undoubtedly this would create additional costs and
burdens for website owners, who will not be allowed to charge a fee to carry
out the request, particularly as there would also be an obligation to track
down and inform third parties of the user’s request where the website owner has
made the personal data public.

The upshot of these proposed changes is
that if sites cannot use personal information in a way that is profitable or
useful for advertising purposes, users may have to pay to use such sites.
Charging may also be necessary to cover the hefty fines (up to 2% of annual
worldwide revenues) companies may face for breaking the rules.

Next
steps

The European Parliament will shortly vote
on the adoption of the General Data Protection Regulation (2012/0011) which
will replace the existing Personal Data Protection Directive. Once adopted, the
Regulation is expected to come into force later this year and member states
will then have 2 years to enforce the legislation.